Merge pull request #637 from michallowicki/mcrt

Remove direct support for ManagedCertificate CRD

Gopkg.toml

@@ -64,7 +64,3 @@ ignored = ["k8s.io/kubernetes/pkg/api"]
 [[constraint]]
   name = "github.com/kr/pretty"
   version = "0.1.0"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/GoogleCloudPlatform/gke-managed-certs"

cmd/glbc/main.go

@@ -23,7 +23,6 @@ import (
 	"os"
 	"time"
 
-	managedcertificatesclient "github.com/GoogleCloudPlatform/gke-managed-certs/pkg/clientgen/clientset/versioned"
 	"github.com/golang/glog"
 	flag "github.com/spf13/pflag"
 
@@ -90,12 +89,6 @@ func main() {
 		glog.Fatalf("Failed to create kubernetes client for leader election: %v", err)
 	}
 
-	// Ingress only reads status of ManagedCertificate CR which is set in another component.
-	mcrtClient, err := managedcertificatesclient.NewForConfig(kubeConfig)
-	if err != nil {
-		glog.Fatalf("Failed to create Managed Certificates client: %v", err)
-	}
-
 	var backendConfigClient backendconfigclient.Interface
 	if flags.F.EnableBackendConfig {
 		crdClient, err := crdclient.NewForConfig(kubeConfig)
@@ -129,14 +122,13 @@ func main() {
 	ctxConfig := ingctx.ControllerContextConfig{
 		NEGEnabled:                    enableNEG,
 		BackendConfigEnabled:          flags.F.EnableBackendConfig,
-		ManagedCertificateEnabled:     flags.F.Features.ManagedCertificates,
 		Namespace:                     flags.F.WatchNamespace,
 		ResyncPeriod:                  flags.F.ResyncPeriod,
 		DefaultBackendSvcPortID:       defaultBackendServicePortID,
 		HealthCheckPath:               flags.F.HealthCheckPath,
 		DefaultBackendHealthCheckPath: flags.F.DefaultSvcHealthCheckPath,
 	}
-	ctx := ingctx.NewControllerContext(kubeClient, backendConfigClient, mcrtClient, cloud, namer, ctxConfig)
+	ctx := ingctx.NewControllerContext(kubeClient, backendConfigClient, cloud, namer, ctxConfig)
 	go app.RunHTTPServer(ctx.HealthCheck)
 
 	if !flags.F.LeaderElection.LeaderElect {

pkg/annotations/ingress.go

@@ -65,12 +65,6 @@ const (
 	// This is only set for ingresses with ingressClass = "gce-multi-cluster"
 	InstanceGroupsAnnotationKey = "ingress.gcp.kubernetes.io/instance-groups"
 
-	// ManagedCertificates represents the specific ManagedCertificate resources for
-	// the Ingress controller to use to terminate SSL. The controller *does not*
-	// manage ManagedCertificate resources, it is the user's responsibility to
-	// create/delete them.
-	ManagedCertificates = "gke.googleapis.com/managed-certificates"
-
 	// SuppressFirewallXPNErrorKey is the annotation key used by firewall
 	// controller whether to supress firewallXPNError.
 	SuppressFirewallXPNErrorKey = "networking.gke.io/suppress-firewall-xpn-error"
@@ -125,14 +119,6 @@ func (ing *Ingress) IngressClass() string {
 	return val
 }
 
-func (ing *Ingress) ManagedCertificates() string {
-	val, ok := ing.v[ManagedCertificates]
-	if !ok {
-		return ""
-	}
-	return val
-}
-
 // SuppressFirewallXPNError returns the SuppressFirewallXPNErrorKey flag.
 // False by default.
 func (ing *Ingress) SuppressFirewallXPNError() bool {

pkg/context/context.go

@@ -17,8 +17,6 @@ import (
 	"sync"
 	"time"
 
-	managedcertificatesclient "github.com/GoogleCloudPlatform/gke-managed-certs/pkg/clientgen/clientset/versioned"
-	managedcertificatesv1alpha1 "github.com/GoogleCloudPlatform/gke-managed-certs/pkg/clientgen/informers/externalversions/gke.googleapis.com/v1alpha1"
 	"github.com/golang/glog"
 
 	apiv1 "k8s.io/api/core/v1"
@@ -51,13 +49,12 @@ type ControllerContext struct {
 
 	ControllerContextConfig
 
-	IngressInformer            cache.SharedIndexInformer
-	ServiceInformer            cache.SharedIndexInformer
-	BackendConfigInformer      cache.SharedIndexInformer
-	PodInformer                cache.SharedIndexInformer
-	NodeInformer               cache.SharedIndexInformer
-	EndpointInformer           cache.SharedIndexInformer
-	ManagedCertificateInformer cache.SharedIndexInformer
+	IngressInformer       cache.SharedIndexInformer
+	ServiceInformer       cache.SharedIndexInformer
+	BackendConfigInformer cache.SharedIndexInformer
+	PodInformer           cache.SharedIndexInformer
+	NodeInformer          cache.SharedIndexInformer
+	EndpointInformer      cache.SharedIndexInformer
 
 	healthChecks map[string]func() error
 
@@ -69,11 +66,10 @@ type ControllerContext struct {
 
 // ControllerContextConfig encapsulates some settings that are tunable via command line flags.
 type ControllerContextConfig struct {
-	NEGEnabled                bool
-	BackendConfigEnabled      bool
-	ManagedCertificateEnabled bool
-	Namespace                 string
-	ResyncPeriod              time.Duration
+	NEGEnabled           bool
+	BackendConfigEnabled bool
+	Namespace            string
+	ResyncPeriod         time.Duration
 	// DefaultBackendSvcPortID is the ServicePortID for the system default backend.
 	DefaultBackendSvcPortID       utils.ServicePortID
 	HealthCheckPath               string
@@ -84,7 +80,6 @@ type ControllerContextConfig struct {
 func NewControllerContext(
 	kubeClient kubernetes.Interface,
 	backendConfigClient backendconfigclient.Interface,
-	mcrtClient managedcertificatesclient.Interface,
 	cloud *gce.GCECloud,
 	namer *utils.Namer,
 	config ControllerContextConfig) *ControllerContext {
@@ -107,9 +102,6 @@ func NewControllerContext(
 	if config.BackendConfigEnabled {
 		context.BackendConfigInformer = informerbackendconfig.NewBackendConfigInformer(backendConfigClient, config.Namespace, config.ResyncPeriod, utils.NewNamespaceIndexer())
 	}
-	if config.ManagedCertificateEnabled {
-		context.ManagedCertificateInformer = managedcertificatesv1alpha1.NewManagedCertificateInformer(mcrtClient, config.Namespace, config.ResyncPeriod, utils.NewNamespaceIndexer())
-	}
 
 	return context
 }
@@ -128,9 +120,6 @@ func (ctx *ControllerContext) HasSynced() bool {
 	if ctx.BackendConfigInformer != nil {
 		funcs = append(funcs, ctx.BackendConfigInformer.HasSynced)
 	}
-	if ctx.ManagedCertificateInformer != nil {
-		funcs = append(funcs, ctx.ManagedCertificateInformer.HasSynced)
-	}
 	for _, f := range funcs {
 		if !f() {
 			return false
@@ -192,9 +181,6 @@ func (ctx *ControllerContext) Start(stopCh chan struct{}) {
 	if ctx.BackendConfigInformer != nil {
 		go ctx.BackendConfigInformer.Run(stopCh)
 	}
-	if ctx.ManagedCertificateInformer != nil {
-		go ctx.ManagedCertificateInformer.Run(stopCh)
-	}
 }
 
 // Ingresses returns the store of Ingresses.

pkg/controller/controller.go

@@ -23,7 +23,6 @@ import (
 	"sync"
 	"time"
 
-	mcrtv1alpha1 "github.com/GoogleCloudPlatform/gke-managed-certs/pkg/clientgen/listers/gke.googleapis.com/v1alpha1"
 	"github.com/golang/glog"
 
 	apiv1 "k8s.io/api/core/v1"
@@ -104,10 +103,6 @@ func NewLoadBalancerController(
 	healthChecker := healthchecks.NewHealthChecker(ctx.Cloud, ctx.HealthCheckPath, ctx.DefaultBackendHealthCheckPath, ctx.ClusterNamer, ctx.DefaultBackendSvcPortID.Service)
 	instancePool := instances.NewNodePool(ctx.Cloud, ctx.ClusterNamer)
 	backendPool := backends.NewPool(ctx.Cloud, ctx.ClusterNamer)
-	var mcrtLister mcrtv1alpha1.ManagedCertificateLister
-	if ctx.ManagedCertificateEnabled {
-		mcrtLister = mcrtv1alpha1.NewManagedCertificateLister(ctx.ManagedCertificateInformer.GetIndexer())
-	}
 
 	lbc := LoadBalancerController{
 		ctx:           ctx,
@@ -118,7 +113,7 @@ func NewLoadBalancerController(
 		hasSynced:     ctx.HasSynced,
 		nodes:         NewNodeController(ctx, instancePool),
 		instancePool:  instancePool,
-		l7Pool:        loadbalancers.NewLoadBalancerPool(ctx.Cloud, ctx.ClusterNamer, mcrtLister, ctx),
+		l7Pool:        loadbalancers.NewLoadBalancerPool(ctx.Cloud, ctx.ClusterNamer, ctx),
 		backendSyncer: backends.NewBackendSyncer(backendPool, healthChecker, ctx.ClusterNamer, ctx.BackendConfigEnabled),
 		negLinker:     backends.NewNEGLinker(backendPool, ctx.Cloud, ctx.ClusterNamer),
 		igLinker:      backends.NewInstanceGroupLinker(instancePool, backendPool, ctx.ClusterNamer),
@@ -578,14 +573,13 @@ func (lbc *LoadBalancerController) toRuntimeInfo(ing *extensions.Ingress, urlMap
 	}
 
 	return &loadbalancers.L7RuntimeInfo{
-		Name:                k,
-		TLS:                 tls,
-		TLSName:             annotations.UseNamedTLS(),
-		Ingress:             ing,
-		ManagedCertificates: annotations.ManagedCertificates(),
-		AllowHTTP:           annotations.AllowHTTP(),
-		StaticIPName:        annotations.StaticIPName(),
-		UrlMap:              urlMap,
+		Name:         k,
+		TLS:          tls,
+		TLSName:      annotations.UseNamedTLS(),
+		Ingress:      ing,
+		AllowHTTP:    annotations.AllowHTTP(),
+		StaticIPName: annotations.StaticIPName(),
+		UrlMap:       urlMap,
 	}, nil
 }
 

pkg/controller/controller_test.go

@@ -62,11 +62,11 @@ func newLoadBalancerController() *LoadBalancerController {
 		HealthCheckPath:               "/",
 		DefaultBackendHealthCheckPath: "/healthz",
 	}
-	ctx := context.NewControllerContext(kubeClient, backendConfigClient, nil, fakeGCE, namer, ctxConfig)
+	ctx := context.NewControllerContext(kubeClient, backendConfigClient, fakeGCE, namer, ctxConfig)
 	lbc := NewLoadBalancerController(ctx, stopCh)
 	// TODO(rramkumar): Fix this so we don't have to override with our fake
 	lbc.instancePool = instances.NewNodePool(instances.NewFakeInstanceGroups(sets.NewString(), namer), namer)
-	lbc.l7Pool = loadbalancers.NewLoadBalancerPool(loadbalancers.NewFakeLoadBalancers(clusterUID, namer), namer, nil, events.RecorderProducerMock{})
+	lbc.l7Pool = loadbalancers.NewLoadBalancerPool(loadbalancers.NewFakeLoadBalancers(clusterUID, namer), namer, events.RecorderProducerMock{})
 	lbc.instancePool.Init(&instances.FakeZoneLister{Zones: []string{"zone-a"}})
 
 	lbc.hasSynced = func() bool { return true }

pkg/controller/translator/translator_test.go

@@ -58,7 +58,7 @@ func fakeTranslator(negEnabled, backendConfigEnabled bool) *Translator {
 		HealthCheckPath:               "/",
 		DefaultBackendHealthCheckPath: "/healthz",
 	}
-	ctx := context.NewControllerContext(client, backendConfigClient, nil, nil, namer, ctxConfig)
+	ctx := context.NewControllerContext(client, backendConfigClient, nil, namer, ctxConfig)
 	gce := &Translator{
 		ctx: ctx,
 	}

pkg/firewalls/controller_test.go

@@ -47,7 +47,7 @@ func newFirewallController() *FirewallController {
 		DefaultBackendSvcPortID: test.DefaultBeSvcPort.ID,
 	}
 
-	ctx := context.NewControllerContext(kubeClient, backendConfigClient, nil, fakeGCE, namer, ctxConfig)
+	ctx := context.NewControllerContext(kubeClient, backendConfigClient, fakeGCE, namer, ctxConfig)
 	fwc := NewFirewallController(ctx, []string{"30000-32767"})
 	fwc.hasSynced = func() bool { return true }
 

pkg/flags/flags.go

@@ -129,21 +129,18 @@ type Features struct {
 	NEG bool
 	// NEGExposed enables using standalone (exposed) NEGs
 	NEGExposed bool
-	// ManagedCertificates enables using ManagedCertificate CRD
-	ManagedCertificates bool
 	// FinalizerAdd enables adding a finalizer on Ingress
 	FinalizerAdd bool
 	// FinalizerRemove enables removing a finalizer on Ingress.
 	FinalizerRemove bool
 }
 
 var DefaultFeatures = &Features{
-	Http2:               true,
-	NEG:                 true,
-	NEGExposed:          true,
-	ManagedCertificates: false,
-	FinalizerAdd:        false,
-	FinalizerRemove:     false,
+	Http2:           true,
+	NEG:             true,
+	NEGExposed:      true,
+	FinalizerAdd:    false,
+	FinalizerRemove: false,
 }
 
 func EnabledFeatures() *Features {
@@ -220,7 +217,6 @@ L7 load balancing. CSV values accepted. Example: -node-port-ranges=80,8080,400-5
 	leaderelectionconfig.BindFlags(&F.LeaderElection.LeaderElectionConfiguration, flag.CommandLine)
 	flag.StringVar(&F.LeaderElection.LockObjectNamespace, "lock-object-namespace", F.LeaderElection.LockObjectNamespace, "Define the namespace of the lock object.")
 	flag.StringVar(&F.LeaderElection.LockObjectName, "lock-object-name", F.LeaderElection.LockObjectName, "Define the name of the lock object.")
-	flag.BoolVar(&F.Features.ManagedCertificates, "enable-managed-certificates", F.Features.ManagedCertificates, "Enable ManagedCertificates.")
 	flag.DurationVar(&F.NegGCPeriod, "neg-gc-period", 120*time.Second,
 		`Relist and garbage collect NEGs this often.`)
 	flag.StringVar(&F.NegSyncerType, "neg-syncer-type", "transaction", "Define the NEG syncer type to use. Valid values are \"batch\" and \"transaction\"")

pkg/loadbalancers/certificates.go

@@ -24,23 +24,12 @@ import (
 	"github.com/golang/glog"
 	compute "google.golang.org/api/compute/v1"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/ingress-gce/pkg/flags"
 	"k8s.io/ingress-gce/pkg/utils"
 )
 
 const SslCertificateMissing = "SslCertificateMissing"
 
 func (l *L7) checkSSLCert() error {
-	if flags.F.Features.ManagedCertificates {
-		// Handle annotation managed-certificates
-		managedSslCerts, used, err := l.getManagedCertificates()
-		if used {
-			l.sslCerts = managedSslCerts
-			return err
-		}
-	}
-
 	// Handle annotation pre-shared-cert
 	used, preSharedSslCerts, err := l.getPreSharedCertificates()
 	if used {
@@ -144,45 +133,6 @@ func (l *L7) getSslCertificates(names []string) ([]*compute.SslCertificate, erro
 	return result, nil
 }
 
-// getManagedCertificates fetches SslCertificates specified via managed-certificates annotation.
-func (l *L7) getManagedCertificates() ([]*compute.SslCertificate, bool, error) {
-	if l.runtimeInfo.ManagedCertificates == "" {
-		return nil, false, nil
-	}
-
-	mcrtsNames := utils.SplitAnnotation(l.runtimeInfo.ManagedCertificates)
-	mcrts, err := l.mcrt.ManagedCertificates(l.runtimeInfo.Ingress.Namespace).List(labels.Everything())
-	if err != nil {
-		return nil, true, err
-	}
-
-	var sslCertsNames []string
-	for _, mcrt := range mcrts {
-		found := false
-		for _, mcrtName := range mcrtsNames {
-			if mcrtName == mcrt.Name {
-				found = true
-				break
-			}
-		}
-
-		if !found {
-			continue
-		}
-
-		if mcrt.Status.CertificateName != "" {
-			sslCertsNames = append(sslCertsNames, mcrt.Status.CertificateName)
-		}
-	}
-
-	sslCerts, err := l.getSslCertificates(sslCertsNames)
-	if err != nil {
-		return sslCerts, true, fmt.Errorf("managed-certificates errors: %s", err.Error())
-	}
-
-	return sslCerts, true, nil
-}
-
 // getPreSharedCertificates fetches SslCertificates specified via pre-shared-cert annotation.
 func (l *L7) getPreSharedCertificates() (bool, []*compute.SslCertificate, error) {
 	if l.runtimeInfo.TLSName == "" {

pkg/loadbalancers/l7.go

@@ -21,7 +21,6 @@ import (
 	"fmt"
 	"strings"
 
-	mcrt "github.com/GoogleCloudPlatform/gke-managed-certs/pkg/clientgen/listers/gke.googleapis.com/v1alpha1"
 	"github.com/golang/glog"
 
 	compute "google.golang.org/api/compute/v1"
@@ -56,8 +55,6 @@ type L7RuntimeInfo struct {
 	TLSName string
 	// Ingress is the processed Ingress API object.
 	Ingress *extensions.Ingress
-	// ManagedCertificates is a comma-separated list of managed SSL certificates to use.
-	ManagedCertificates string
 	// AllowHTTP will not setup :80, if TLS is nil and AllowHTTP is set,
 	// no loadbalancer is created.
 	AllowHTTP bool
@@ -114,8 +111,6 @@ type L7 struct {
 	oldSSLCerts []*compute.SslCertificate
 	// namer is used to compute names of the various sub-components of an L7.
 	namer *utils.Namer
-	// mcrt is an interface to ManagedCertificate resources.
-	mcrt mcrt.ManagedCertificateLister
 	// recorder is used to generate k8s Events.
 	recorder record.EventRecorder
 }
@@ -140,7 +135,7 @@ func (l *L7) edgeHop() error {
 		}
 	}
 	// Defer promoting an ephemeral to a static IP until it's really needed.
-	sslConfigured := l.runtimeInfo.TLS != nil || l.runtimeInfo.TLSName != "" || l.runtimeInfo.ManagedCertificates != ""
+	sslConfigured := l.runtimeInfo.TLS != nil || l.runtimeInfo.TLSName != ""
 	if l.runtimeInfo.AllowHTTP && sslConfigured {
 		glog.V(3).Infof("checking static ip for %v", l.Name)
 		if err := l.checkStaticIP(); err != nil {